12 changes: 12 additions & 0 deletions app/models/setting.rb
Expand Up @@ -30,6 +30,8 @@ class Setting < ActiveRecord::Base
#
def self.get_for(user_id, category=nil)

SqlHelper.validate_token([user_id, category])

con = []
con << "(user_id=#{user_id})"
con << "(category='#{category}')" unless category.nil?
Expand Down Expand Up @@ -58,6 +60,8 @@ def self.get_for(user_id, category=nil)
#
def self.get_value(user_id, category, key)

SqlHelper.validate_token([user_id, category, key])

con = []
con << "(user_id=#{user_id})"
con << "(category='#{category}')"
Expand All @@ -81,6 +85,8 @@ def self.get_value(user_id, category, key)
#
def self.save_value(user_id, category, key, value)

SqlHelper.validate_token([user_id, category, key])

con = []
con << "(user_id=#{user_id})"
con << "(category='#{category}')"
Expand Down Expand Up @@ -118,6 +124,8 @@ def self.save_value(user_id, category, key, value)
#
def self.get_for_group(group_id, category=nil)

SqlHelper.validate_token([group_id, category])

con = []
con << "(group_id=#{group_id})"
con << "(category='#{category}')" unless category.nil?
Expand Down Expand Up @@ -146,6 +154,8 @@ def self.get_for_group(group_id, category=nil)
#
def self.get_group_value(group_id, category, key)

SqlHelper.validate_token([group_id, category, key])

con = []
con << "(group_id=#{group_id})"
con << "(category='#{category}')"
Expand All @@ -169,6 +179,8 @@ def self.get_group_value(group_id, category, key)
#
def self.save_group_value(group_id, category, key, value)

SqlHelper.validate_token([group_id, category, key])

con = []
con << "(group_id=#{group_id})"
con << "(category='#{category}')"
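Review bot: The new `SqlHelper.validate_token([user_id, category])` in `get_for` (and `get_for_group`) is called while `category` may still be nil, because the `unless category.nil?` branch below it is kept; whether `validate_token` tolerates nil elements is not visible in this diff, so either confirm it or pass `SqlHelper.validate_token([user_id, category].compact)`. More generally the token check is a pre-filter in front of string interpolation into single-quoted SQL, so the protection it gives depends entirely on how strict that whitelist is; this same commit already switches `edit_send_to.html.erb` to hash conditions, and the six methods here could do the same, e.g. `con = {user_id: user_id}` followed by `con[:category] = category unless category.nil?` and a `where(con)`. The bodies of all six methods continue past their hunks, so the final `where`/update calls are not visible here.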
20 changes: 11 additions & 9 deletions app/models/team.rb
Expand Up @@ -365,6 +365,7 @@ def get_team_folder
#
def self.get_team_folder(team_id)

SqlHelper.validate_token([team_id])
begin
return Folder.where("(owner_id=#{team_id}) and (xtype='#{Folder::XTYPE_TEAM}')").first
rescue => evar
Expand Down Expand Up @@ -397,23 +398,24 @@ def create_team_folder
#
#Removes applications of the specified Users.
#
#_users_:: Array of User-IDs.
#_user_ids_:: Array of User-IDs.
#
def remove_application(users)
def remove_application(user_ids)

return if users.nil? or users.empty?
return if user_ids.nil? or user_ids.empty?

array = ["(xtype='#{Comment::XTYPE_APPLY}')"]
array << "(item_id=#{self.item_id})"
SqlHelper.validate_token([user_ids])

con = ["(xtype='#{Comment::XTYPE_APPLY}')"]
con << "(item_id=#{self.item_id})"

user_con_a = []
users.each do |user_id|
user_ids.each do |user_id|
user_con_a << "(user_id=#{user_id})"
end

array << '(' + user_con_a.join(' or ') + ')'
con << '(' + user_con_a.join(' or ') + ')'

Comment.destroy_all(array.join(' and '))
Comment.destroy_all(con.join(' and '))
end

end
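Review bot: `SqlHelper.validate_token([user_ids])` on the new side of `remove_application` wraps the `user_ids` array inside another array, so unless `validate_token` flattens nested arrays (its implementation is not in this diff) it checks the Array object as one token rather than each id that the `user_ids.each` loop below interpolates; `SqlHelper.validate_token(user_ids)` passes the ids themselves. The string-built condition handed to `destroy_all` could instead be `Comment.where(xtype: Comment::XTYPE_APPLY, item_id: self.item_id, user_id: user_ids).destroy_all`, which also drops the manual `' or '` join and the dependency on the token whitelist. The guard `return if user_ids.nil? or user_ids.empty?` uses the low-precedence `or`; `||` (or `return if user_ids.blank?`) is the conventional form. In the first hunk, `get_team_folder`'s `rescue => evar` branch continues outside the hunk.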
23 changes: 17 additions & 6 deletions app/models/timecard.rb
Expand Up @@ -422,12 +422,14 @@ def _get_break_span(break_start, break_end)
#Gets Timecard of the specified User and Date.
#
#_user_id_:: Target User-ID.
#_date_:: Target Date.
#_date_s_:: Target Date string.
#return:: Timecard for the specified User and Date.
#
def self.get_for(user_id, date)
def self.get_for(user_id, date_s)

SqlHelper.validate_token([user_id, date_s])
begin
con = "(user_id=#{user_id}) and (date='#{date}')"
con = "(user_id=#{user_id}) and (date='#{date_s}')"
return Timecard.where(con).first
rescue
end
Expand All @@ -444,7 +446,13 @@ def self.get_for(user_id, date)
#return:: Timecard for the specified User and span.
#
def self.find_term(user_id, start_date, end_date)
con = "(user_id=#{user_id}) and (date >= '#{start_date}') and (date <= '#{end_date}')"

SqlHelper.validate_token([user_id])

start_s = start_date.strftime(Schedule::SYS_DATE_FORM)
end_s = end_date.strftime(Schedule::SYS_DATE_FORM)

con = "(user_id=#{user_id}) and (date >= '#{start_s}') and (date <= '#{end_s}')"
ary = Timecard.where(con).order('date ASC').to_a
timecards_h = Hash.new
unless ary.nil?
Expand All @@ -466,9 +474,12 @@ def self.find_term(user_id, start_date, end_date)
#
def self.applied_paid_hlds(user_id, start_date, end_date)

SqlHelper.validate_token([user_id, start_date, end_date])
SqlHelper.validate_token([user_id])

start_s = start_date.strftime(Schedule::SYS_DATE_FORM)
end_s = end_date.strftime(Schedule::SYS_DATE_FORM)

sql = "SELECT COUNT(*) FROM timecards WHERE user_id = #{user_id} AND date >= '#{start_date}' AND date <= '#{end_date}'"
sql = "SELECT COUNT(*) FROM timecards WHERE user_id = #{user_id} AND date >= '#{start_s}' AND date <= '#{end_s}'"

sum = 0.0
self.workcodes.each do |key, params|
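Review bot: `find_term` and `applied_paid_hlds` now call `strftime` on `start_date`/`end_date`, so any caller that still passes date strings (which the previous interpolation accepted) will raise `NoMethodError`; only `Timecard.get_for`'s caller in `group.html.erb` is updated in this commit, so the other call sites should be checked, or the conversion made tolerant with `start_s = start_date.respond_to?(:strftime) ? start_date.strftime(Schedule::SYS_DATE_FORM) : start_date` (and likewise for `end_s`). In `get_for` the bare `rescue` with an empty body still swallows every StandardError from the query and returns nil, so a database failure is indistinguishable from "no timecard"; at minimum log it as `get_team_folder` does with `rescue => evar`. The renamed `date_s` is still interpolated into `date='#{date_s}'`; `Timecard.where(user_id: user_id, date: date_s).first` would not depend on the token whitelist at all. Each of the three methods continues outside its hunk.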
2 changes: 2 additions & 0 deletions app/models/toy.rb
Expand Up @@ -194,6 +194,8 @@ def self.on_desktop?(user, xtype, target_id)

return false if user.nil? or xtype.nil? or target_id.nil?

SqlHelper.validate_token([xtype, target_id])

con = "(user_id=#{user.id}) and (xtype='#{xtype}') and (target_id=#{target_id})"

begin
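Review bot: `on_desktop?` validates `xtype` and `target_id` but still interpolates them into a single-quoted SQL string on the next line, so the protection depends on how strict `SqlHelper.validate_token` is (its implementation is not part of this diff); `con = {user_id: user.id, xtype: xtype, target_id: target_id}` passed to `where` removes both the quoting concern and that dependency. The guard `return false if user.nil? or xtype.nil? or target_id.nil?` uses the low-precedence keyword `or`; `||` is the conventional choice in a boolean expression. The method's `begin` block continues outside the hunk.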
10 changes: 9 additions & 1 deletion app/models/user.rb
Expand Up @@ -275,6 +275,8 @@ def self.authenticate(attrs)
name = attrs[:name]
password = attrs[:password]

SqlHelper.validate_token([name])

pass_md5 = UsersHelper.generate_digest_pass(name, password)

return User.where("(name='#{name}') and (pass_md5='#{pass_md5}')").first
Expand Down Expand Up @@ -529,6 +531,8 @@ def get_name_for_timecard(yaml=nil)
#
def self.get_from_name(user_name)

SqlHelper.validate_token([user_name])

begin
user = User.where("name='#{user_name}'").first
rescue => evar
Expand Down Expand Up @@ -775,7 +779,8 @@ def get_my_folder
#
def self.get_my_folder(user_id)

return Folder.where("(owner_id=#{user_id}) and (xtype='#{Folder::XTYPE_USER}')").first
SqlHelper.validate_token([user_id])
return Folder.where("(owner_id=#{user_id}) and (xtype='#{Folder::XTYPE_USER}')").first
end

#=== create_my_folder
Expand Down Expand Up @@ -1156,6 +1161,7 @@ def self.update_xorder(title, order)
con = ['title=?', title]
end

SqlHelper.validate_token([order])
User.update_all("xorder=#{order}", con)
end

Expand All @@ -1182,6 +1188,8 @@ def self.rename_title(org_title, new_title)
#
def get_project_application(item_id)

SqlHelper.validate_token([item_id])

con = "(item_id=#{item_id}) and (user_id=#{self.id}) and (xtype='#{Comment::XTYPE_APPLY}')"
begin
comment = Comment.where(con).first
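Review bot: In `authenticate`, `SqlHelper.validate_token([name])` is now applied to the submitted login name, so an existing account whose name contains a character the whitelist rejects (what it rejects is not visible here) can no longer log in, and the failure mode — presumably an exception rather than the nil that a wrong password yields — is different from the current contract; `User.where(name: name, pass_md5: pass_md5).first`, the hash-condition form this commit already uses in `edit_send_to.html.erb`, avoids both the interpolation and the new restriction. The same applies to `get_from_name`, `get_my_folder` and `get_project_application`, and since `update_xorder` already builds `con` with a placeholder (`['title=?', title]`), `User.where(con).update_all(xorder: order)` would keep it consistent instead of interpolating `order`. The column name `pass_md5` suggests the digest from `UsersHelper.generate_digest_pass` is a fast MD5-based password hash; that is outside this hunk but worth a separate follow-up. All five methods continue outside their hunks.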
10 changes: 5 additions & 5 deletions app/views/common/_edit_scope.html.erb
Expand Up @@ -3,7 +3,7 @@
scope_tabs = new Array("groups", "teams");
</script>

<table cellspacing="0" cellpadding="0" style="width:100%;">
<table style="width:100%; border-spacing:0px;">
<tr>
<td style="vertical-align:top;">
<table cellspacing="2" cellpadding="0" style="width:100%;">
Expand All @@ -23,7 +23,7 @@ scope_tabs = new Array("groups", "teams");
<td style="border:solid 1px gray; background-color:#FFFAFD;">

<div id="tab_div_groups" style="display:none;">
<table cellspacing="0" cellpadding="0" style="width:100%; padding:5px 10px;">
<table style="width:100%; padding:5px 10px; border-spacing:0px;">
<tr>
<td>
<%
Expand All @@ -45,7 +45,7 @@ scope_tabs = new Array("groups", "teams");
<tr style="height:5px;"><td></td></tr>
<tr>
<td>
<table cellspacing="0" cellpadding="0" style="width:100%;">
<table style="width:100%; border-spacing:0px;">
<tr>
<td style="text-align:left; vertical-align:bottom; width:33%;" >
<%= t('group.plural') %><%= t('cap.suffix') %>
Expand All @@ -72,7 +72,7 @@ scope_tabs = new Array("groups", "teams");
</table>
</div>
<div id="tab_div_teams" style="display:none;">
<table cellspacing="0" cellpadding="0" style="width:100%; padding:5px 10px;">
<table style="width:100%; padding:5px 10px; border-spacing:0px;">
<tr>
<td>
<%
Expand All @@ -94,7 +94,7 @@ scope_tabs = new Array("groups", "teams");
<tr style="height:5px;"><td></td></tr>
<tr>
<td>
<table cellspacing="0" cellpadding="0" style="width:100%;">
<table style="width:100%; border-spacing:0px;">
<tr>
<td style="text-align:left; vertical-align:bottom; width:33%;" >
<%= t('team.plural') %><%= t('cap.suffix') %>
10 changes: 5 additions & 5 deletions app/views/schedules/_edit_members.html.erb
Expand Up @@ -27,7 +27,7 @@ tabs = new Array("users", "groups", "teams");
<td style="border:solid 1px gray; background-color:#FFFAFD;">

<div id="tab_div_users">
<table cellspacing="0" cellpadding="0" style="width:100%; padding:5px 10px;">
<table style="width:100%; padding:5px 10px; border-spacing:0px;">
<tr>
<td>
<select id="users_selected" name="users[]" class="select_multi" size="5" multiple="multiple">
Expand All @@ -52,7 +52,7 @@ tabs = new Array("users", "groups", "teams");
</table>
</div>
<div id="tab_div_groups" style="display:none;">
<table cellspacing="0" cellpadding="0" style="width:100%; padding:5px 10px;">
<table style="width:100%; padding:5px 10px; border-spacing:0px;">
<tr>
<td>
<%
Expand All @@ -74,7 +74,7 @@ tabs = new Array("users", "groups", "teams");
<tr style="height:5px;"><td></td></tr>
<tr>
<td>
<table cellspacing="0" cellpadding="0" style="width:100%;">
<table style="width:100%; border-spacing:0px;">
<tr>
<td style="text-align:left; vertical-align:bottom; width:33%;" >
<%= t('group.plural') %><%= t('cap.suffix') %>
Expand All @@ -101,7 +101,7 @@ tabs = new Array("users", "groups", "teams");
</table>
</div>
<div id="tab_div_teams" style="display:none;">
<table cellspacing="0" cellpadding="0" style="width:100%; padding:5px 10px;">
<table style="width:100%; padding:5px 10px; border-spacing:0px;">
<tr>
<td>
<%
Expand All @@ -123,7 +123,7 @@ tabs = new Array("users", "groups", "teams");
<tr style="height:5px;"><td></td></tr>
<tr>
<td>
<table cellspacing="0" cellpadding="0" style="width:100%;">
<table style="width:100%; border-spacing:0px;">
<tr>
<td style="text-align:left; vertical-align:bottom; width:33%;" >
<%= t('team.plural') %><%= t('cap.suffix') %>
2 changes: 1 addition & 1 deletion app/views/send_mails/edit_send_to.html.erb
Expand Up @@ -89,7 +89,7 @@ tabs_send_mail_address.push("users");
end
disp << "<#{mail_addr}>"

user = User.where("email='#{mail_addr}'").first
user = User.where(email: mail_addr).first
if user.nil?
entry_val = disp
else
7 changes: 4 additions & 3 deletions app/views/timecards/group.html.erb
@@ -1,6 +1,7 @@
<% HistoryHelper.set_back(request) %>

<% date_s = @date.strftime(Schedule::SYS_DATE_FORM) unless @date.nil? %>
<%
date_s = @date.strftime(Schedule::SYS_DATE_FORM) unless @date.nil?
%>

<%= render(:partial => 'common/jkl_calendar_init') %>

Expand Down Expand Up @@ -76,7 +77,7 @@ else
@selected_users.each_with_index do |user, idx|
bgcolor = (idx % 2 == 1) ? 'gainsboro' : 'white'

timecard = Timecard.get_for(user.id, @date)
timecard = Timecard.get_for(user.id, date_s)
timecard = Timecard.new if timecard.nil?
%>
<tr style="background-color:<%= bgcolor %>;">
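Review bot: `date_s` is nil whenever `@date` is nil (the `unless @date.nil?` modifier at the top of the file), and it is then passed straight to `Timecard.get_for(user.id, date_s)`, where it reaches `SqlHelper.validate_token` and the `date='#{date_s}'` interpolation as an empty string; the old code took the same path with `@date`, but the new token check may now raise on nil instead of silently matching nothing. Guarding the call, `timecard = date_s.nil? ? nil : Timecard.get_for(user.id, date_s)`, keeps the existing `Timecard.new` fallback on the following line. The `@selected_users.each_with_index` block containing this call starts before the hunk.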